Tempting Those Blackhatted Poohs with a Taste of Virtual Honey

It isn’t enough just to run a decent network and to provide essential services to your ever-wanting-more congregation of spoiled users — you also have to protect everything from disgruntled insiders and even more disgruntled outsiders. Honeypots and honeynets give you the ability to provide a few slightly less secure systems to those honey thieves without giving away the whole hive. Larger companies hire full-time staff to secure their networks and keep them secure from the constant barrage of security-smashing attempts by those malcontented demons living in some squalid and unpronounceable distant land. That’s the picture we place in our heads, anyway, to make us feel better about spending a tremendous amount of time and money in hopes of defeating that international spy ring bent on breaking into our high-profile and strategically crucial catering business records.

Don’t laugh; that catering business holds perhaps thousands of valid credit card numbers, expiration dates and owner names in its database. And that’s enough for any Pooh to lick his chops and begin limbering up his greedy little paws for some late night intrusion attempts. Lure him away with the taste of lower-hanging fruit in a honeypot — a virtual honeypot, that is.

Yes, there are real blackhatted Poohs out there who desire to compromise our government’s information, to expose our corporate malfeasance, to upset the financial stability of our beloved banking system and to steal credit card numbers from your catering business. The threats exist for real. The solutions also exist — virtual honeypots and honeynets form part of those solutions.

Honeypot Defined

A honeypot is a computer that contains a security flaw or two so that, with a moderate amount of work, an unsuspecting intruder can own or compromise it. The honeypot collects information about the intruder and records his tracks and fingerprints along the way. In effect, a honeypot is an intrusion detection system: no legitimate user has any business touching it, so every contact is suspect. When you combine multiple honeypots, you have a honeynet. Having more than one system sets the stage more convincingly than a single one, since it more realistically resembles a working network whose administrators have missed some critical patches or failed to plug some less obvious security holes.
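The paragraph above says a honeypot "collects information about the intruder and records his tracks." The listener below, an added example that is not from the article, shows the smallest useful version of that: a low-interaction TCP service that does nothing but accept connections and log who came, which fake service they hit, and the first bytes they sent, as JSON lines ready for a log collector. The service label `fake-http`, the sample probe and the `run_demo` helper are constructed for illustration; the demo connects to itself on localhost so it runs offline.

```python
"""Connection-logging honeypot listener (added example, not from the article).

Nothing legitimate ever talks to a honeypot, so every connection is worth a
record: source address, which fake service it hit, and what it sent first.
"""
import json
import os
import socket
import tempfile
import threading
import time
from collections import Counter
from datetime import datetime, timezone


def record_connection(conn, peer, service, log_path):
    """Capture the peer's opening bytes, append one JSON record, close."""
    conn.settimeout(2.0)
    try:
        data = conn.recv(1024)
    except (socket.timeout, OSError):
        data = b""
    finally:
        conn.close()
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "service": service,                  # label of the fake service
        "src_ip": peer[0],
        "src_port": peer[1],
        "bytes": len(data),
        "first_bytes_hex": data[:64].hex(),  # hex keeps binary probes log-safe
    }
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def serve(service, host, port, log_path, stop_event, ready):
    """Accept loop until stop_event is set; publishes the bound port via `ready`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    srv.settimeout(0.2)  # wake periodically to check stop_event
    ready["port"] = srv.getsockname()[1]
    ready["event"].set()
    try:
        while not stop_event.is_set():
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                continue
            record_connection(conn, peer, service, log_path)
    finally:
        srv.close()


def start_honeypot(service, log_path, host="127.0.0.1", port=0):
    """Start a listener thread; port 0 lets the OS pick a free port."""
    stop_event = threading.Event()
    ready = {"event": threading.Event(), "port": None}
    worker = threading.Thread(
        target=serve, args=(service, host, port, log_path, stop_event, ready), daemon=True
    )
    worker.start()
    ready["event"].wait(5.0)
    return ready["port"], stop_event, worker


def summarize(log_path):
    """Aggregate the log: hits per source address and per fake service."""
    by_src, by_service = Counter(), Counter()
    with open(log_path, encoding="utf-8") as fh:
        for line in fh:
            entry = json.loads(line)
            by_src[entry["src_ip"]] += 1
            by_service[entry["service"]] += 1
    return {"by_src": dict(by_src), "by_service": dict(by_service)}


def run_demo(probe=b"GET / HTTP/1.0\r\n\r\n"):
    """Start a fake HTTP honeypot, poke it once from localhost, return records + summary.

    The probe is a constructed sample request, not captured traffic.
    """
    log_path = os.path.join(tempfile.mkdtemp(), "honeypot.jsonl")
    port, stop_event, worker = start_honeypot("fake-http", log_path)
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as client:
        client.sendall(probe)
    deadline = time.time() + 5.0  # wait for the listener thread to write the record
    while time.time() < deadline:
        if os.path.exists(log_path) and os.path.getsize(log_path) > 0:
            break
        time.sleep(0.05)
    stop_event.set()
    worker.join(3.0)
    with open(log_path, encoding="utf-8") as fh:
        entries = [json.loads(line) for line in fh]
    return entries, summarize(log_path)


if __name__ == "__main__":
    entries, summary = run_demo()
    for e in entries:
        print(json.dumps(e))
    print(summary)
```

Because the listener never answers, it gives an intruder nothing to work with; its value is entirely in the record it writes. Run one such listener per fake service on the honeypot, and feed the JSON lines into the same log pipeline as your production systems so a hit on the honeynet raises an alert alongside everything else.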

Honey Dos and Don’ts

When you create your virtual honeynet, create realistic honeypots. Create a web server, a database server, a file server and possibly a mail server. Patch the systems and plug all but one or two security holes. The holes you leave open should be subtler than a widely publicized vulnerability from a year or more ago. Stay a security patch or two behind on all your “sweetened” systems so that it looks to the intruder like your system administrator is a bit lazy but not completely inept.

Place these systems in their own virtual LAN (VLAN) so that a compromise inside the honeynet cannot spread to the rest of your network. At least one honeypot needs Internet access.

To lower the costs associated with providing a virtual playground for discontented Poohs, deploy a free virtualization solution such as Xen, VMware Server or Proxmox.

Adding Virtual Sweetness

Virtual machines allow you to rapidly create and re-create pristine virtual honeypots. Create a backup of a properly configured honeypot virtual machine for future use — perhaps as a template for quicker deployment. Once a virtual machine honeypot succumbs to its attacker, you’ll want to quarantine it for further study and bring up a new replacement. Virtualization streamlines this activity and spares you the effort of rebuilding a physical system, whether by hand or through some automated deployment or disk duplicating system.

It’s also easier to keep your “golden” honeypot image updated with the patches and security plugs that make sense.
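The two paragraphs above describe the lifecycle: a honeypot gets compromised, you quarantine it for study, and you bring up a fresh copy from a golden template. The helper below is an added example, not the article's or any project's code, that scripts that cycle for a libvirt/KVM host using the `virsh` and `virt-clone` command-line tools (assumed to be installed, with a qcow2-backed guest so a live snapshot is possible). The point it makes is the ordering: cut the network before anything else so the intruder loses the box, capture memory before disk because that is where running processes live, and only then stop the guest and clone its successor. The `runner` argument is injectable, so the same sequence can be printed as a dry run instead of executed; the domain names, MAC address and evidence path in the demo are placeholders.

```python
"""Honeypot lifecycle helper (added example, not from the article).

Quarantine a compromised honeypot VM in an evidence-preserving order, then
bring up a fresh clone of the golden template. Assumes a libvirt/KVM host with
virsh and virt-clone on the PATH; `runner` is injectable for dry runs/tests.
"""
import subprocess
from datetime import datetime, timezone


def execute(argv):
    """Run one command, raising on failure."""
    subprocess.run(argv, check=True)
    return argv


def dry_run(argv):
    """Print the command instead of running it."""
    print(" ".join(argv))
    return argv


def quarantine(domain, iface, evidence_dir, runner=execute, stamp=None):
    """Isolate, capture, freeze, stop: in that order.

    iface is the honeypot's NIC as libvirt knows it (MAC address or device name).
    """
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    steps = [
        # 1. Pull the virtual cable first: the intruder loses the box, but the
        #    guest keeps running so nothing in memory is lost.
        ["virsh", "domif-setlink", domain, iface, "down"],
        # 2. Memory before disk: running processes, open connections and
        #    unpacked payloads exist only here.
        ["virsh", "dump", "--memory-only", domain, f"{evidence_dir}/{domain}-{stamp}.mem"],
        # 3. Freeze the disk state for offline analysis.
        ["virsh", "snapshot-create-as", domain, f"quarantine-{stamp}"],
        # 4. Hard stop; the dump and snapshot are the evidence, not the live VM.
        ["virsh", "destroy", domain],
    ]
    return [runner(step) for step in steps]


def deploy_replacement(golden, new_name, runner=execute):
    """Clone the (shut-off) golden template and start the replacement."""
    steps = [
        ["virt-clone", "--original", golden, "--name", new_name, "--auto-clone"],
        ["virsh", "start", new_name],
    ]
    return [runner(step) for step in steps]


def rotate(domain, iface, golden, new_name, evidence_dir, runner=execute, stamp=None):
    """Full cycle: quarantine the compromised honeypot, then bring up its successor."""
    return (quarantine(domain, iface, evidence_dir, runner, stamp)
            + deploy_replacement(golden, new_name, runner))


if __name__ == "__main__":
    # Placeholder names; substitute your own domains, NIC and evidence path.
    rotate("hp-web-01", "52:54:00:aa:bb:cc", "hp-web-golden", "hp-web-02",
           "/srv/evidence", runner=dry_run)
```

Keep the golden template shut off; `virt-clone` needs the source domain inactive, and a template that never runs is also a template that never drifts. Patching the golden image, as the paragraph above suggests, then becomes: start it, update, shut it down, and every honeypot cloned afterwards carries the new baseline.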

Honeypots make sense in your battle against information theft, and virtualization makes them easier to implement and maintain. Remember, though, that honeypots are only one defense against cyber crime, and you shouldn’t consider them a security panacea. They’re meant to lead predators away from the real data, giving you the opportunity to catch them in the act. It’s a diversionary technique at best. The effectiveness of any security measure requires vigilance and follow-up.

Virtualization doesn’t provide an extra layer of security but is a way to spend less time and effort in maintaining your defenses.

Write back and tell us how you use honeypots and if you use virtual infrastructure for them.

Comments on "Tempting Those Blackhatted Poohs with a Taste of Virtual Honey"

OK, the title is mildly funny, but I fail to see how having a honeypot is actually _useful_ for anything other than catching a really incompetent insider. (I assume anyone competent would not allow himself to be traced back and identified.)

So let’s say that indeed an intruder attacks the honeypot first, and they waste 2 days doing it. So what? Two days later you’re still in the same position you were at the beginning. Only you spent X days setting up your honeypot, while you might have been doing something useful…
